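rule MAL_Katz_Stealer_May25 {
   meta:
      description = "Detects Katz stealer"
      author = "MalGamy (Nextron Systems)"
      date = "2025-05-16"
      reference = "Internal Research"
      hash = "fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789"
      hash = "d92bb6e47cb0a0bdbb51403528ccfe643a9329476af53b5a729f04a4d2139647"
      score = 80
   strings:
      // Host-fingerprinting format string (motherboard product name).
      $s1 = "Motherboard Product: %s" ascii
      // These two are generic on their own (any tool that shells out or exports
      // registry keys uses them); the 4-of-6 threshold in the condition is what
      // stops them from firing by themselves.
      $s2 = "cmd.exe /c %s" ascii
      $s3 = "reg export \"%s\" \"%s\" /y" ascii
      // Looks like a fragment of an embedded Node-style HTTP request object.
      $s4 = ").request({ hostname: '" ascii
      // 'ascii' made explicit to match the other strings; it is YARA's default
      // modifier, so matching behaviour is unchanged.
      $s5 = "Type: Removable" ascii
      // Windows Live Mail profile path (mail-client credential harvesting target).
      $s6 = "%s\\Microsoft\\Windows Live Mail" ascii
   condition:
      // PE (MZ) header, small binary, and at least four of the six markers.
      uint16(0) == 0x5a4d
      and filesize < 300KB
      and 4 of them
}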

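rule MAL_DLL_Chrome_App_Bound_Encryption_Decryption_May25 {
   meta:
      description = "Detects a DLL used to decrypt App-Bound Encrypted (ABE) cookies, passwords and payment methods from Chromium-based browsers. Seen being used by Katz stealer"
      // Normalised to match the other rules in this file (was "MAlGamy").
      author = "MalGamy"
      date = "2025-05-19"
      reference = "Internal Research"
      hash = "6dc8e99da68b703e86fa90a8794add87614f254f804a8d5d65927e0676107a9d"
      score = 80
   strings:
      // Error/status messages of the decryptor. NOTE(review): the "proxy blanket"
      // wording matches a CoSetProxyBlanket failure path, which fits a COM-based
      // decryptor - confirm against the sample rather than the string alone.
      $s1 = "Failed to set proxy blanket." ascii
      $s2 = "Decryption failed. Last error:" ascii
      // Chrome "Local State" file path (presumably where the app-bound key is read from).
      $s3 = "\\Google\\Chrome\\User Data\\Local State" ascii

      // Opcode anchor; the REX.W prefixes (48/4C) indicate x86-64 code, i.e. a
      // 64-bit DLL. It is mandatory in the condition, so the text strings alone
      // never trigger the rule.
      $op1 = {48 39 F3 74 ?? 4C 89 E2 48 89 E9 E8 ?? ?? ?? ?? 48 89 C1 48 8B 00 B2 ?? 48 8B 40 ?? 48 C7 44 01 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 13 48 89 C1 E8 ?? ?? ?? ?? 48 FF C3 EB ?? 48 8D 54 24 ?? 48 89 F9 E8 ?? ?? ?? ?? 48 89 E9 E8 ?? ?? ?? ?? 48 89 F8 48 81 C4}
   condition:
      // PE header, size bound, the opcode anchor and at least one message string.
      uint16(0) == 0x5a4d
      and filesize < 2MB
      and $op1 and 1 of ($s*)
}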

rule SUSP_Katz_Log_May25 {
   meta:
      description = "Detects log file that contains system reconnaissance data, seen being generated by Katz stealer"
      author = "MalGamy"
      date = "2025-05-20"
      reference = "Internal Research"
      hash = "1ac196ac6393d786618c944a7ab77fb189a6b4ba00af5c0f987c3dc65876c060"
      hash = "ad76e2727469525dec7e56977589dd250ca57a29b8b0d42cd5c42e536c285241"
      hash = "e1a0d6929662bcbc9e5e0827cb8b6d7818088e996cf971d2a4a1c1ca4208e533"
      hash = "b10796c41e1cec7c84a3c68bfcaa7b20f49b620d1c94304a6b3ed73471fa9031"
      hash = "5a984e2e308fe84e4e2071dd877772361719ba0217c2c23da79dbb82dc15eac8"
      score = 65
   strings:
      // Section banner and field labels of the reconnaissance log. "Volume Name:"
      // is a generic label, which is why three of the four are required.
      $banner = "===== System Information =====" ascii
      $host   = "Desktop Hostname:" ascii
      $board  = "Motherboard Manufacturer:" ascii
      $volume = "Volume Name:" ascii
   condition:
      // Plain-text log, so no magic-byte gate; 51200 bytes == 50KB.
      filesize < 51200 and 3 of them
}

rule MAL_NET_Katz_Stealer_Loader_May25 {
   meta:
      description = "Detects .NET based Katz stealer loader"
      author = "Jonathan Peters (cod3nym)"
      date = "2025-05-21"
      reference = "Internal Research"
      hash = "0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7"
      score = 80
   strings:
      // A single hit on this method name is sufficient on its own (see condition).
      $x = "ExecutarMetodoVAI" ascii

      // Supporting identifiers, three of which are required. Several are
      // Portuguese ("nomedoarquivo" ~ file name, "caminhovbs" ~ vbs path);
      // $s4 is the UTF-8 encoding of "extenção" followed by a NUL terminator.
      $s1 = "VirtualMachineDetector" ascii
      $s2 = "Wow64SetThreadContext_API" ascii
      $s3 = "nomedoarquivo" ascii
      $s4 = { 65 78 74 65 6E C3 A7 61 6F 00 }
      $s5 = "payloadBuffer" ascii
      $s6 = "caminhovbs" ascii
   condition:
      // NOTE(review): no PE-header or filesize gate here, unlike the sibling
      // MAL_NET_UAC_Bypass_May25 rule - confirm that is intended (e.g. for
      // memory dumps) before adding one.
      $x or 3 of ($s*)
}

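rule MAL_NET_UAC_Bypass_May25 {
   meta:
      description = "Detects .NET based tool abusing legitimate Windows utility cmstp.exe to bypass UAC (User Account Control)"
      author = "Jonathan Peters (cod3nym)"
      date = "2025-05-21"
      reference = "Internal Research"
      hash = "4f12c5dca2099492d0c0cd22edef841cbe8360af9be2d8e9b57c2f83d401c1a7"
      hash = "fcad234dc2ad5e2d8215bcf6caac29aef62666c34564e723fa6d2eee8b6468ed"
      score = 80
   strings:
      // Class/namespace name of the bypass implementation.
      $x1 = "CmstpBypass" ascii
      // UTF-16LE "REPLACE_COMMAND_LINE", then "cmstp.exe" twice, each preceded by
      // a length byte (0x13 = 19 = 9 chars * 2 + 1; 0x33 = 51 = 25 chars * 2 + 1).
      // NOTE(review): this layout looks like the .NET #US (user-string) heap, which
      // is why a PE gate is applied to it below - confirm against the samples.
      $x2 = { 52 00 45 00 50 00 4C 00 41 00 43 00 45 00 5F 00 43 00 4F 00 4D 00 4D 00 41 00 4E 00 44 00 5F 00 4C 00 49 00 4E 00 45 00 00 13 63 00 6D 00 73 00 74 00 70 00 2E 00 65 00 78 00 65 00 00 33 63 00 6D 00 73 00 74 00 70 00 2E 00 65 00 78 00 65 }
      // UTF-16LE "REPLACE_COMMAND_LINE\r\ntaskkill /IM cmstp.exe" (CRLF is 0D 00 0A 00).
      $x3 = { 52 00 45 00 50 00 4C 00 41 00 43 00 45 00 5F 00 43 00 4F 00 4D 00 4D 00 41 00 4E 00 44 00 5F 00 4C 00 49 00 4E 00 45 00 0D 00 0A 00 74 00 61 00 73 00 6B 00 6B 00 69 00 6C 00 6C 00 20 00 2F 00 49 00 4D 00 20 00 63 00 6D 00 73 00 74 00 70 00 2E 00 65 00 78 00 65 }
   condition:
      // Parenthesised so the PE gate applies to every alternative. The original
      // `uint16(0) == 0x5a4d and $x1 or 1 of ($x2,$x3)` parsed as
      // `(MZ and $x1) or 1 of ($x2,$x3)` because `and` binds tighter than `or`,
      // so the UTF-16 patterns fired on non-PE data. Revert to the looser form
      // only if matching raw, header-less dumps was intended.
      uint16(0) == 0x5a4d
      and ( $x1 or 1 of ($x2, $x3) )
}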
